We now have a 5555-X with a number of interfaces. Our outside and DMZ interfaces have routable IP addresses, and the DMZ subnet is routed through the IP address of the outside interface.
Stripped for readability.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 123.123.6.243 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 50
 ip address 192.168.50.4 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 123.123.27.129 255.255.255.224
object-group network newprod-hosts
 network-object host 123.123.27.134
route inside 192.168.60.0 255.255.255.0 192.168.50.1 1
I'm trying to PAT 123.123.27.134 port 22 to 192.168.60.20 port 22.
object network inside-ssh-host
 host 192.168.60.20
 nat (inside,dmz) static 123.123.27.134 service tcp ssh ssh
access-list OUTSIDE extended permit tcp any host 123.123.27.134 eq ssh
However, when I do this and try to telnet to port 22 on 123.123.27.134, I end up on a server that doesn't even belong to us, with an SSH version that I don't expect. The funny thing is, if I remove the ACL listed above, I can no longer access that port, so it's obvious that our ASA is doing something strange.....
% telnet 123.123.27.134 22
Trying 123.123.27.134...
Connected to www..com.
Escape character is '^]'.
SSH-2.0-OpenSSH_4.3
^]
Am I doing something wrong here, or do we need to contact our upstream provider to figure out what is happening there?
EDIT: We have recently acquired this DMZ subnet from the upstream provider, but ACL-based routing of web traffic to our F5 sitting behind this ASA is working fine.
EDIT 2: When I do a whois on this subnet (123.123.27.128/27), it returns the information of the previous assignee, who had a larger 123.123.27.128/26 subnet.
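As an added example (not part of the question above, and not Cisco's code), here is a small Python model of the destination-side lookup an ASA performs for a static object NAT rule. It parses the posted snippet and shows which ingress interface a packet for 123.123.27.134:22 must arrive on before the `nat (inside,dmz)` rule untranslates it to 192.168.60.20. The `OUTSIDE_VARIANT` config, the service-name table and the helper names are assumptions of the example; the model covers only static object NAT matched on its mapped interface (`any` matching every interface) and ignores twice NAT and NAT section ordering.

```python
import re
import ipaddress

# Constructed sample input (not the poster's full config): the ASA snippet from
# the question, re-typed here.
POSTED_CONFIG = """
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 123.123.6.243 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 50
 ip address 192.168.50.4 255.255.255.0
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 123.123.27.129 255.255.255.224
object network inside-ssh-host
 host 192.168.60.20
 nat (inside,dmz) static 123.123.27.134 service tcp ssh ssh
"""

# Hypothetical variant (an assumption, not from the question): same host and
# mapped address, but the mapped side is the outside interface.
OUTSIDE_VARIANT = POSTED_CONFIG.replace("nat (inside,dmz)", "nat (inside,outside)")

# Minimal keyword table; ASA accepts service names or numeric ports.
SERVICE_PORTS = {"ssh": 22, "www": 80, "https": 443}


def port_number(token):
    """Translate a numeric port or a service keyword into a port number."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_interfaces(config):
    """Return {nameif: ip_interface} for each interface carrying an address."""
    ifaces, name = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name = None
        elif s.startswith("nameif "):
            name = s.split()[1]
        elif s.startswith("ip address ") and name:
            _, _, ip, mask = s.split()
            ifaces[name] = ipaddress.ip_interface(f"{ip}/{mask}")
    return ifaces


NAT_RE = re.compile(
    r"nat \((\S+),(\S+)\) static (\S+)(?: service tcp (\S+) (\S+))?$")


def parse_object_nat(config):
    """Collect static object NAT rules: real host, real/mapped interfaces,
    mapped address and the optional TCP port translation."""
    rules, obj, real_ip = [], None, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("object network "):
            obj, real_ip = s.split()[2], None
        elif s.startswith("host ") and obj:
            real_ip = s.split()[1]
        else:
            m = NAT_RE.match(s)
            if m and obj:
                real_ifc, mapped_ifc, mapped_ip, rp, mp = m.groups()
                rules.append({
                    "object": obj, "real_ip": real_ip,
                    "real_ifc": real_ifc, "mapped_ifc": mapped_ifc,
                    "mapped_ip": mapped_ip,
                    "real_port": port_number(rp) if rp else None,
                    "mapped_port": port_number(mp) if mp else None,
                })
    return rules


def untranslate(rules, ingress_ifc, dst_ip, dst_port):
    """Model the lookup for a packet entering the ASA: a static object NAT rule
    applies only when the packet arrives on the rule's mapped interface ('any'
    matches all) and is addressed to the mapped IP, plus the mapped port when
    a service is configured. Returns (real_ip, real_port, egress_ifc) or None."""
    for r in rules:
        if r["mapped_ifc"] not in ("any", ingress_ifc):
            continue
        if r["mapped_ip"] != dst_ip:
            continue
        if r["mapped_port"] is not None and r["mapped_port"] != dst_port:
            continue
        real_port = dst_port if r["real_port"] is None else r["real_port"]
        return r["real_ip"], real_port, r["real_ifc"]
    return None


def interface_for(ifaces, ip):
    """Name of the interface whose connected subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, itf in ifaces.items():
        if addr in itf.network:
            return name
    return None


if __name__ == "__main__":
    ifaces = parse_interfaces(POSTED_CONFIG)
    rules = parse_object_nat(POSTED_CONFIG)
    print("mapped address lives on interface:", interface_for(ifaces, "123.123.27.134"))
    for ifc in ("outside", "dmz"):
        print(f"packet in on {ifc} for 123.123.27.134:22 ->",
              untranslate(rules, ifc, "123.123.27.134", 22))
    print("outside-variant rule, packet in on outside ->",
          untranslate(parse_object_nat(OUTSIDE_VARIANT), "outside",
                      "123.123.27.134", 22))
```

Running it shows the two cases side by side: with the posted `(inside,dmz)` rule only a packet entering on `dmz` is untranslated, while the hypothetical `(inside,outside)` rule untranslates a packet entering on `outside`. When checking a real device, the same comparison is done with `packet-tracer` and `show nat detail`, which report the rule a given ingress interface and destination actually hit.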